IKE Phase 1 Exchange

The Phase 1 exchange is known as Main Mode. In the Phase 1 exchange, the two
IKE peers authenticate each other with the configured authentication method
(preshared keys or public key certificates) and derive shared keying material
through a Diffie-Hellman key agreement. The result is an Internet
Security Association and Key Management Protocol (ISAKMP) security association
(SA). An ISAKMP SA is a secure channel for IKE to negotiate keying material
for the IP datagrams. Unlike IPsec SAs, the ISAKMP SAs are bidirectional,
so only one security association is needed between a pair of peers.
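The following is an added worked example, not Solaris code and not part of the original page: it carries out the Phase 1 (Main Mode) keying derivation of RFC 2409 for both simulated peers, with HMAC-SHA1 as the negotiated prf and Oakley group 2 (the 1024-bit MODP group) for the Diffie-Hellman agreement. It shows how SKEYID depends on the authentication method (a preshared key versus the RSA signature method used with certificates), how SKEYID_d, SKEYID_a and SKEYID_e are derived from it, and how HASH_I and HASH_R let each side detect a peer holding a different preshared key. The cookies, nonces, SA payload body and ID payload bodies (the addresses 192.168.13.213 and 192.168.116.16) are constructed sample values; in the rsa_sig case the hashes would additionally be signed with each peer's certificate key, which this example does not simulate.

```python
"""IKEv1 Phase 1 (Main Mode) keying derivation, both peers simulated.
Added example; not Solaris in.iked code."""
import hashlib
import hmac
import secrets

# Oakley group 2: 1024-bit MODP prime with generator 2 (RFC 2409, section 6.2).
OAKLEY_GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
OAKLEY_GROUP2_G = 2
GROUP_BYTES = 128  # g^x values are encoded as 1024-bit big-endian integers


def prf(key: bytes, data: bytes) -> bytes:
    """The negotiated pseudo-random function; HMAC-SHA1 here ("auth_alg sha")."""
    return hmac.new(key, data, hashlib.sha1).digest()


def to_bytes(n: int) -> bytes:
    return n.to_bytes(GROUP_BYTES, "big")


def dh_keypair():
    """Fresh private exponent x and public value g^x mod p."""
    x = int.from_bytes(secrets.token_bytes(32), "big")
    return x, pow(OAKLEY_GROUP2_G, x, OAKLEY_GROUP2_P)


def skeyid(auth_method, ni_b, nr_b, gxy, psk=None):
    """RFC 2409 section 5: the SKEYID formula depends on the authentication method."""
    if auth_method == "preshared":
        if psk is None:
            raise ValueError("preshared authentication needs a key")
        return prf(psk, ni_b + nr_b)            # g^xy enters only in SKEYID_d/a/e
    if auth_method == "rsa_sig":
        return prf(ni_b + nr_b, to_bytes(gxy))  # signature mode: keyed by the nonces
    raise ValueError(f"unsupported auth_method {auth_method!r}")


def derive_skeyids(skeyid_, gxy, cky_i, cky_r):
    """SKEYID_d (IPsec key source), SKEYID_a (ISAKMP integrity), SKEYID_e (ISAKMP encryption)."""
    gxy_b = to_bytes(gxy)
    skeyid_d = prf(skeyid_, gxy_b + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid_, skeyid_d + gxy_b + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid_, skeyid_a + gxy_b + cky_i + cky_r + b"\x02")
    return skeyid_d, skeyid_a, skeyid_e


def hash_i(skeyid_, gxi, gxr, cky_i, cky_r, sai_b, idii_b):
    return prf(skeyid_, to_bytes(gxi) + to_bytes(gxr) + cky_i + cky_r + sai_b + idii_b)


def hash_r(skeyid_, gxi, gxr, cky_i, cky_r, sai_b, idir_b):
    return prf(skeyid_, to_bytes(gxr) + to_bytes(gxi) + cky_r + cky_i + sai_b + idir_b)


def main_mode(auth_method, psk_initiator=None, psk_responder=None):
    """Simulate both peers of a six-message Main Mode exchange.

    Messages 1-2 carry the SA proposal and the ISAKMP cookies, messages 3-4 the
    Diffie-Hellman values and nonces, messages 5-6 the identities plus HASH_I and
    HASH_R (in the real protocol already encrypted under SKEYID_e).  For
    rsa_sig, HASH_I/HASH_R are the values each side would sign; the signature
    itself is not simulated, so acceptance here means "both sides derived the
    same value".  The SA body and ID bodies are constructed sample values."""
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    sai_b = b"\x00\x00\x00\x01" + auth_method.encode() + b"/sha/3des/group2"
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    ni_b, nr_b = secrets.token_bytes(20), secrets.token_bytes(20)
    gxy_i = pow(gxr, xi, OAKLEY_GROUP2_P)  # computed by the initiator
    gxy_r = pow(gxi, xr, OAKLEY_GROUP2_P)  # computed by the responder
    idii_b = bytes([1, 0, 0, 0]) + bytes([192, 168, 13, 213])  # ID_IPV4_ADDR, constructed
    idir_b = bytes([1, 0, 0, 0]) + bytes([192, 168, 116, 16])  # ID_IPV4_ADDR, constructed

    sk_i = skeyid(auth_method, ni_b, nr_b, gxy_i, psk_initiator)
    sk_r = skeyid(auth_method, ni_b, nr_b, gxy_r, psk_responder)

    # Message 5: the initiator proves it holds SKEYID; the responder recomputes HASH_I.
    sent_hash_i = hash_i(sk_i, gxi, gxr, cky_i, cky_r, sai_b, idii_b)
    responder_accepts = hmac.compare_digest(
        sent_hash_i, hash_i(sk_r, gxi, gxr, cky_i, cky_r, sai_b, idii_b))
    # Message 6: the responder proves the same; the initiator checks HASH_R.
    sent_hash_r = hash_r(sk_r, gxi, gxr, cky_i, cky_r, sai_b, idir_b)
    initiator_accepts = hmac.compare_digest(
        sent_hash_r, hash_r(sk_i, gxi, gxr, cky_i, cky_r, sai_b, idir_b))

    _, _, ske_i = derive_skeyids(sk_i, gxy_i, cky_i, cky_r)
    _, _, ske_r = derive_skeyids(sk_r, gxy_r, cky_i, cky_r)
    return {
        "initiator_accepts": initiator_accepts,
        "responder_accepts": responder_accepts,
        "isakmp_sa_keys_match": ske_i == ske_r,
    }


if __name__ == "__main__":
    print("matching preshared key:", main_mode("preshared", b"s3cret", b"s3cret"))
    print("mismatched preshared key:", main_mode("preshared", b"s3cret", b"wrong"))
    print("rsa_sig key agreement:", main_mode("rsa_sig"))
```

A point this makes visible: with a preshared key, SKEYID is known before the Diffie-Hellman secret is used, yet SKEYID_e (which encrypts messages 5 and 6) still depends on g^xy, so the key alone does not let an observer read the identity payloads. Because SKEYID_e must exist before those payloads can be decrypted, a responder using preshared keys has to select the key from the peer's address, which is why preshared-key rules are tied to IP addresses.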

How IKE negotiates keying material in the Phase 1 exchange is configurable. IKE
reads the configuration information from the /etc/inet/ike/config file.
Configuration information includes the following:

Global parameters, such as the names of public key certificates

Whether perfect forward secrecy (PFS) is used

The interfaces that are affected

The security protocols and their algorithms

The authentication method

The two authentication methods are preshared keys and public key certificates.
The certificates can be self-signed, or they can be issued by a certificate
authority (CA) that belongs to a public key infrastructure (PKI). A self-signed
certificate carries no third-party assurance, so each peer must obtain the
other's certificate out of band and explicitly mark it as trusted.
Organizations that operate public CAs include beTrusted, Entrust, GeoTrust,
RSA Security, and Verisign.
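The following /etc/inet/ike/config is an added, constructed example (not a file shipped with Solaris) showing how the items listed above appear in the file: global Phase 1 parameters, the names of trusted certificates, the PFS setting, the addresses a rule applies to, the Phase 1 transform with its algorithms, and one rule for each authentication method. The addresses, labels and distinguished names are placeholders.

```text
### /etc/inet/ike/config (constructed example)
## Global parameters
#
# Phase 1 SA lifetime in seconds and Phase 1 nonce length in bytes
p1_lifetime_secs 14400
p1_nonce_len 20
#
# Names of public key certificates this host trusts.
# cert_root names a CA certificate; cert_trust names a self-signed
# peer certificate that was imported out of band.
cert_root  "C=US, O=ExampleCA, CN=Example Root CA"
cert_trust "C=US, O=Example, OU=Enigma, CN=enigma-selfsigned"
#
# Defaults that individual rules can override: the Phase 1 transform
# (authentication method, Diffie-Hellman group, hash and cipher) and
# the Oakley group used for perfect forward secrecy in Phase 2.
p1_xform
  { auth_method preshared oakley_group 2 auth_alg sha encr_alg 3des }
p2_pfs 2
#
## Rule 1: preshared-key authentication with peer 192.168.116.16.
## The key itself is not kept here; it lives in /etc/inet/secret/ike.preshared.
{
  label "partym-enigma-psk"
  local_addr  192.168.13.213
  remote_addr 192.168.116.16
  p1_xform
    { auth_method preshared oakley_group 5 auth_alg sha encr_alg 3des }
  p2_pfs 5
}
#
## Rule 2: certificate (RSA signature) authentication with peer 192.168.116.17.
## Peers are identified by the distinguished names in their certificates,
## which must match a certificate trusted through cert_root or cert_trust.
{
  label "partym-enigma-cert"
  local_id_type dn
  local_id  "C=US, O=Example, OU=Partym, CN=partym"
  remote_id "C=US, O=Example, OU=Enigma, CN=enigma"
  local_addr  192.168.13.213
  remote_addr 192.168.116.17
  p1_xform
    { auth_method rsa_sig oakley_group 2 auth_alg sha encr_alg 3des }
  p2_pfs 2
}
```

The transform values mirror the algorithms of the page's era; where both peers support them, a current deployment would choose a larger oakley_group and encr_alg aes over 3des. The file is read by the IKE daemon and, like the ike.preshared file it refers to, must be readable only by root.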